chore(deps): update devdependency codecov to v3.7.1 [security] #51
Open
renovate[bot] wants to merge 1 commit into master from renovate/npm-codecov-vulnerability
Conversation
Codecov Report
Merging #51 (6d04d29) into master (34f27b1) will not change coverage.
The diff coverage is n/a.
❗ Current head 6d04d29 differs from pull request most recent head e90c099. Consider uploading reports for the commit e90c099 to get more accurate results.

@@            Coverage Diff            @@
##           master       #51   +/-   ##
=========================================
  Coverage   100.00%   100.00%
=========================================
  Files           18        18
  Lines          347       365   +18
  Branches        97       110   +13
=========================================
+ Hits           347       365   +18
see 9 files with indirect coverage changes
renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 263d950 to 99422a8 (May 7, 2020 17:58)
renovate bot force-pushed the renovate/npm-codecov-vulnerability branch 2 times, most recently from a9d2840 to 2b47e71 (July 5, 2020 04:59)
renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 2b47e71 to af3f65f (August 26, 2020 00:58)
renovate bot changed the title from "chore(deps): update devdependency codecov to v3.6.5 [security]" to "chore(deps): update devdependency codecov to v3.7.1 [security]" (Aug 26, 2020)
renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from af3f65f to 48a0956 (October 28, 2020 15:59)
renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 48a0956 to f30d58c (November 25, 2020 23:00)
renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from f30d58c to d56e123 (December 11, 2020 02:53)
renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from d56e123 to d4a3d41 (April 26, 2021 17:12)
renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from d4a3d41 to 6d04d29 (May 9, 2021 21:02)
renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 6d04d29 to 058b2e7 (March 7, 2022 14:11)
renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 058b2e7 to a072bb1 (March 26, 2022 12:03)
renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from a072bb1 to 53f840d (April 25, 2022 00:20)
renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 53f840d to 1e5a446 (June 18, 2022 20:08)
renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 1e5a446 to 83b559e (March 18, 2023 17:55)
renovate bot (Contributor, Author) commented:
⚠ Artifact update problem
Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.
♻ Renovate will retry this branch, including artifacts, only when one of the following happens:
- any of the package files in this branch needs updating, or
- the branch becomes conflicted, or
- you click the rebase/retry checkbox if found above, or
- you rename this PR's title to start with "rebase!" to trigger it manually
The artifact failure details are included below:
File name: yarn.lock
Error response from daemon: toomanyrequests: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit
renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 83b559e to e90c099 (March 24, 2023 22:04)
renovate bot force-pushed the renovate/npm-codecov-vulnerability branch 2 times, most recently from 7ca7c5a to f1b5898 (January 30, 2025 18:52)
renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from f1b5898 to 726f100 (May 19, 2025 18:01)
renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 726f100 to 7f7aac9 (June 22, 2025 13:08)
renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 7f7aac9 to d24469c (September 25, 2025 16:43)
This PR contains the following updates:
codecov: 3.5.0 → 3.7.1

GitHub Vulnerability Alerts
CVE-2020-7597
codecov-node npm module before 3.6.5 allows remote attackers to execute arbitrary commands. The value provided as part of the gcov-root argument is executed by the exec function within lib/codecov.js. This vulnerability exists due to an incomplete fix of CVE-2020-7596.
CVE-2020-15123
Impact
The upload method has a command injection vulnerability. Clients of the codecov-node library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.
A similar CVE was issued: CVE-2020-7597, but the fix was incomplete. It only blocked &, and command injection is still possible using backticks instead to bypass the sanitizer.
We have written a CodeQL query, which automatically detects this vulnerability. You can see the results of the query on the codecov-node project here.
Patches
This has been patched in version 3.7.1
Workarounds
None, however, the attack surface is low in this case. Particularly in the standard use of codecov, where the module is used directly in a build pipeline, not built against as a library in another application that may supply malicious input and perform command injection.
References
For more information
If you have any questions or comments about this advisory:
CVE-2020-7596
Codecov npm module before 3.6.2 allows remote attackers to execute arbitrary commands via the "gcov-args" argument.
Release Notes
codecov/codecov-node (codecov)
v3.7.1
v3.7.0
v3.6.5
v3.6.4
v3.6.3
v3.6.2
v3.6.1
v3.6.0
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.